[Openstack] Real-world policy.json and keystone settings
Kevin L. Mitchell
kevin.mitchell at rackspace.com
Fri Dec 6 17:11:19 UTC 2013
On Thu, 2013-12-05 at 19:03 -0600, Scott Devoid wrote:
> The TL;DR - We ran into problems with permissions for users within the
> same tenant. With the current access controls it is impossible to fix
> this without isolating each user in a personal project. Can we fix the
> policy.json grammar to give us the access controls we want, or am I
> stupid and missing something?
I believe there is support for getting the functionality you want. For
any of the objects that have a user_id, you can use the policy rule
"user_id:%(user_id)s", which will only be true if the user_id in the
context is the same as the user_id on the object access is being checked
against. You might want to try that rule and see if it gives you what
you want…
--
Kevin L. Mitchell <kevin.mitchell at rackspace.com>
Rackspace
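Added example, not part of the original message and not OpenStack's own code: a simplified model of how a "kind:match" policy check such as "user_id:%(user_id)s" is evaluated, contrasting a tenant-scoped rule with an owner-scoped one for two users in the same tenant. The function names, user and project IDs, and the rule strings combined with "role:admin" are assumptions constructed for illustration.

```python
# Simplified model of policy.json rule evaluation (illustrative, not OpenStack code).
# Supports "kind:match" checks joined by " or " / " and "; no parentheses, no "not".

def check(atom, target, creds):
    """Evaluate one 'kind:match' check against the caller's credentials."""
    kind, match = atom.strip().split(":", 1)
    try:
        # Fill %(user_id)s etc. from the object that access is being checked against.
        match = match % target
    except KeyError:
        return False  # the object has no such field, so the check fails closed
    if kind == "role":
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    return kind in creds and str(creds[kind]) == match


def enforce(rule, target, creds):
    """In this model 'and' binds tighter than 'or'."""
    return any(
        all(check(atom, target, creds) for atom in conj.split(" and "))
        for conj in rule.split(" or ")
    )


# Constructed sample data: two users sharing one tenant, plus an admin elsewhere.
ALICE = {"user_id": "u-alice", "project_id": "p-shared", "roles": ["member"]}
BOB = {"user_id": "u-bob", "project_id": "p-shared", "roles": ["member"]}
ADMIN = {"user_id": "u-root", "project_id": "p-ops", "roles": ["admin"]}
SERVER = {"user_id": "u-alice", "project_id": "p-shared"}  # object owned by Alice

TENANT_RULE = "role:admin or project_id:%(project_id)s"  # any tenant member passes
OWNER_RULE = "role:admin or user_id:%(user_id)s"         # only the owner passes


def decisions(rule):
    """Return the allow/deny decision for each sample caller on SERVER."""
    callers = (("alice", ALICE), ("bob", BOB), ("admin", ADMIN))
    return {name: enforce(rule, SERVER, creds) for name, creds in callers}


if __name__ == "__main__":
    print("tenant-scoped:", decisions(TENANT_RULE))
    print("owner-scoped: ", decisions(OWNER_RULE))
```

The owner-scoped rule only helps for objects that actually carry a user_id; in this model a target without that field is denied rather than matched.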